Abstract. We present a novel scheme for the coverage problem, introducing a quantitative way to estimate the interaction between a block and its environment. This is achieved by setting a discrete version of Green's Theorem, specially adapted for Model Checking based verification of integrated circuits. This method is best suited for the coverage problem since it enables one to quantify the incompleteness or, on the other hand, the redundancy of a set of rules describing the model under verification. Moreover, this can be done continuously throughout the verification process, thus enabling the user to pinpoint the stages at which incompleteness/redundancy occurs. Although the method is presented locally on a small hardware example, we additionally show that it can provide precise coverage estimation also for large scale systems. We compare this method to others by checking it on the same test-cases.



1. Introduction 

While automatic verification methods (such as Model Checking) permit quite accurate formulation of rules describing concurrent systems, the coverage problem is still open. This problem can be stated as one's ability to know that a certain set of rules covers all possible behaviors of the system and, if so, whether this set is optimal, in the sense that it does not contain redundancies.

This problem, besides being a very challenging research problem, also plays a crucial role in the industrial implementation of verification methods, in terms of manpower, time and, of course, finance.

While different methods to attack this problem were proposed (see [KGG], [HKHZ], [AS]), it is still largely open.

In this paper we present a novel scheme for the coverage problem, introducing a quantitative way to estimate the interaction between a block and its environment. This is achieved by setting a discrete version of Green's Theorem, specially adapted for Model Checking based verification.

This work was inspired by the well known principle of Model Checking that a well written environment dictates the formulation of the system's rules; indeed the rules governing the system and the description of its physical properties should be regarded as almost mirror images of each other. On a more theoretical level resides the idea of viewing a flow of information in a way analogous to the electromagnetic (or energy) flow and the computation of its mean flux, i.e. pressure. The main idea behind the results presented herein is the adaptation of the symmetry principle to the flow setting, an adaptation which states that the mean pressure of information is constant (i.e. the informational system is in dynamic equilibrium).
This method is best suited for the coverage problem since it enables one to quantify the incompleteness or, on the other hand, the redundancy of a set of rules describing the model under verification. Moreover, this can be done continuously throughout the verification process, thus enabling the user to pinpoint the stages at which incompleteness/redundancy occurs. The method we present here does not permit the complete automation of the coverage-checking process (which would make the verifier's role redundant), since it does not guarantee completeness of coverage, but only that inconsistencies or redundancies are discovered. Thus it is yet another instrument in the arsenal of the experienced verifier, and one that is extremely easy to use without any further specialization. Moreover, it can be readily added as a supplementary feature to any existing industrial machine.

The paper is organized as follows: In Section 2 we give the basic preliminaries and show how to formulate Green's Theorem in the context of pressure of information. In this section this is done in a basic, local setting of individual blocks composing a system (i.e. a silicon "chip"). In Section 3 we compare this method to the one presented in [KGG], by applying it to the same test-cases presented therein. In Section 4 we show how this method naturally extends globally to large scale units and can be implemented up to the level of integrated circuits. This extending ability enables one to get the most out of this method, since it makes it possible to unify all stages of the development, from the architect, through the designer, to the verifier. Moreover, this method relieves the verifier of the unnecessary presumption that the verification of a neighboring unit has been done correctly; instead it gives verifying tools to easily quantify this correctness. Finally, in Section 5 we give an outline of future research.

2. Theoretical Setting 

2.1. Definition and Notations. In this section we give the basic background and 
notations. A brief discussion on Green's Theorem is given in the Appendix. 

Definition 2.1. A block B is a punctured topological disk $B \cong D \setminus \{p_1, \dots, p_s\}$, $s \ge 0$, where D denotes the closed unit disk $D = \{z \in \mathbb{C} \mid |z| \le 1\}$.

The environment of a block B, env(B), is the complement of $B \cup \{p_1, \dots, p_s\}$, i.e. $\mathbb{R}^2 \setminus D$.

A block and its environment share a common boundary and communicate with each other via input/output messages.

Definition 2.2. An information unit is a signal s that may have the values 0, 1. A message is a pair $m = (\pm n; s_1, \dots, s_k)$, where $+n$ is the unit normal vector pointing outward from the block, toward env(B), and $\{s_1, \dots, s_k\}$ is a set of information units.

An input is a message of the form $i = (-n; s_1, \dots, s_k)$, while an output is a message of the form $o = (+n; s_1, \dots, s_k)$.

The punctures also connect with the block via sending/receiving messages, where the directions are $\pm n$ with respect to the boundary of a small disk neighborhood of a puncture point. A puncture will be called a sink if all its messages are outputs, and a source if all its messages are inputs (where the orientations of the normal vectors are considered with respect to the block B).



A DIGITAL VERSION OF GREEN'S THEOREM AND ITS APPLICATION TO THE COVERAGE PROBLEM IN FORMAL VERIF 



Remark 2.3. We refer mainly to typical punctures of sink or source types, but of 
course, "mixed" punctures are also possible (therefore they are to be considered). 

Example 2.4. The block illustrated in Fig. 1 has, relative to the outer boundary, an input message $(-n; ack)$ and an output message $(+n; req, wr)$. It also has a puncture $p = s_o$ of type source, its messages being $(-n; sign1)$ and $(-n; sign2)$. It should be noted that a message appears only if its signals are asserted, i.e. as unit signals; that is, we identify $(+n; req, wr)$ with the vector $(+n; 1, 1)$ (or $(+1; 1, 1)$).



[Figure 1: a block B inside env(B), with outer boundary ∂(env(B)); labels: output message (+n;req,wr), input message (−n;ack), and a source puncture p = s_o emitting (−n;sign1) and (−n;sign2).]

Figure 1. A typical block



2.2. Main Theorem. 

Definition 2.5. For each message (i.e. input, output, sink/source) we define a measure $\mu$, the information pressure, according to:

$\mu(i) = \mu(-n; s_1, \dots, s_k) = -k$;
$\mu(o) = \mu(+n; s_1, \dots, s_l) = l$;
$\mu(s_i) = \mu(+n; s_1, \dots, s_p) = p$ (sink);
$\mu(s_o) = \mu(-n; s_1, \dots, s_q) = -q$ (source).

Remark 2.6. Again, we allow the existence of "mixed" punctures. In this case the measure associated with such a puncture is the arithmetic sum of its signals, considered with sign "+" if they relate to an output, and with a "−" if they correspond to an input.

Example 2.7. Consider the puncture p with messages $(+n; s_1, s_2)$, $(+n; s_3)$, $(-n; s_4, s_5)$. Then $\mu(p) = 2 + 1 - 2 = 1$.

With these notations we are in a position to formulate Green's theorem for 
blocks: 

Theorem 2.8. Let B be a block with outputs o(B), inputs i(B) and sinks/sources $p(B) = p_+(B) + p_-(B)$, where p(B) denotes the set of punctures of the block B. Then the following holds:

(2.1) $\displaystyle \sum_{i \in i(B)} \mu(i) + \sum_{o \in o(B)} \mu(o) + \sum_{p \in p(B)} \mu(p) = 0.$
Proof. Given a block B, every input/output signal is uniquely identified with a point on the boundary Fr(B), with a length element given by the measure $\mu$ of the signal. Since overall-time information is conserved, applying Green's Formula on such a block gives:




Example 2.9. The following simple rule relative to the block of Example 2.4 illustrates the method of implementing Formula (2.1):

AG ((¬ack ∧ req ∧ wr) → AF ack)    (ρ)

Since req and wr are outputs, they both contribute with a "+1", while ack, being an input, adds a "−1" to the general balance, so the measure variance associated to the rule ρ is Δ(ρ) = 1 + 1 − 1 = 1. Note that, as stated before, we count only the asserted signals.

We shall show in Section 3 how to add the variances of individual rules in order to get the global variance Δ(B).

Note. Formula (2.1) should be understood as a qualitative indicator for the coverage of a given set of rules; hence this set is assumed to satisfy the following postulates:

(1) Every input/output appears at least once in the set of rules; otherwise one could have, for instance, the following set of rules, which consists of only one formula:

S_1 : AG (req → AX ack)    (ρ_1)

which satisfies (2.1) but evidently does not represent a complete set of rules for a realistic arbiter.

(2) If a set of rules does not satisfy (2.1) it is guaranteed to be either incomplete or to have redundancies. On the other hand, sets of rules may satisfy (2.1) but still be inconsistent, such as the following:

S_2 : { AG (req → AX ack)       (ρ_1)
      { AG (req → AX AX ack)    (ρ_2)

Indeed, if ack is, as it normally is, a "pulse" signal, then ρ_1 and ρ_2 will not always be satisfied in tandem by any normal system. Also, the following system contains a redundant rule:

S_3 : { AG (req → AX ack)    (ρ_1)
      { AG (req → AF ack)    (ρ_3)

since if ρ_1 holds, then ρ_3 is obviously redundant. However, it still obviously satisfies (2.1), so a direct application of Theorem 2.8 will not reveal this fact. Therefore, it is imperative that the formalist satisfies the following:

Fairness Assumption. The set of rules consists only of relevant rules and does not contain deliberate redundancies.
Remark 2.10. Although, as shown in the previous Note, the given method does not provide a completely automatic tool to solve the coverage problem, it gives the user, especially the skilled verifier, a numerical assessment of the block's complexity. Two important conclusions ensue from this:

On one hand, a well formulated set of rules enables one to actually compute the 
complexity of the internal structure of the block, as this is expressed by the pressures 
contributed by the punctures, thus allowing a paradigm shift from the black-box 
concept to that of semi-transparent blocks. 

On the other hand, it gives the verifier of neighboring blocks a computational 
tool for checking relative correctness along the common interface. This advantage 
becomes even more effective in pipelining units, for which the boundary interface 
is the simplest possible. 

3. Case Studies 

This work was partially motivated by the work of Katz, Grumberg and Geist (see [KGG]). We will demonstrate the application of (2.1) to the examples given in the paper mentioned above, and compare the results obtained and the efficiency of both methods.

Their main example consists of a synchronous arbiter A having two inputs, req1 and req2, and two outputs, ack1 and ack2 (see Fig. 2).



[Figure 2: the arbiter A with input messages (−n;req1), (−n;req2) and output messages (+n;ack1), (+n;ack2).]

Figure 2. Arbiter



This arbiter's behavior (cf. [KGG]¹) is described by the following complete set of rules S, which contains no redundancies:

S :
  AG [(¬req1 ∧ ¬req2) → AX (¬ack1 ∧ ¬ack2)]    (ρ_1)
  AG [(req1 ∧ ¬req2) → AX ack1]    (ρ_2)
  AG [(¬req1 ∧ req2) → AX ack2]    (ρ_3)
  AG [(req1 ∧ ack2) → AX ack1]    (ρ_4)
  AG [(req2 ∧ ack1) → AX ack2]    (ρ_5)
  A [(¬req1 ∨ ¬req2 ∨ ack1 ∨ ack2) W (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2 ∧ AX ack1)]    (ρ_6)
  (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2) → AX [ack1 ∧ A [(¬req1 ∨ ¬req2 ∨ ack1 ∨ ack2) W (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2 ∧ AX ack2)]]    (ρ_7)
  (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2) → AX [ack2 ∧ A [(¬req1 ∨ ¬req2 ∨ ack1 ∨ ack2) W (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2 ∧ AX ack1)]]    (ρ_8)



The computation of the variances for the rules above is summarized in the table below (Figure 3). Then Δ(A) = Δ(ρ_1) + ... + Δ(ρ_8) = +3. That is:

  Rule   Input(s)        Output(s)       Δ
         req1   req2     ack1   ack2
  ρ_1     0      0        0      0       0
  ρ_2     1      0        1      0       0
  ρ_3     0      1        0      1       0
  ρ_4     1      0        1      1      +1
  ρ_5     0      1        1      1      +1
  ρ_6     1      1        2      1      +1
  ρ_7     2      2        2      2       0
  ρ_8     2      2        2      2       0

(Each entry is the number of asserted occurrences of the signal in the rule; Δ is the sum of the output counts minus the sum of the input counts.)

Figure 3.

$\displaystyle \sum_{i \in i(A)} \mu(i) + \sum_{o \in o(A)} \mu(o) = +3 \neq 0.$

¹ Up to some minor modifications.

Thus, in order for (2.1) to hold, the arbiter must also have a puncture, resulting from the logical complexity of the block.

Indeed, expressed in the SMV language, the inner structure of the arbiter is given (again cf. [KGG]) by:

var
  req1, req2, ack1, ack2, robin : boolean;
assign
  init(ack1) := 0;
  init(ack2) := 0;
  init(robin) := 0;
  next(ack1) := case
    !req1 : 0;
    !req2 : 1;
    !ack1 & !ack2 : !robin;
    1 : !ack1;
  esac;
  next(ack2) := case
    !req2 : 0;
    !req1 : 1;
    !ack1 & !ack2 : robin;
    1 : !ack1;
  esac;
  -- robin is the internal round-robin pointer used when both requests are pending
  next(robin) := if req1 & req2 & !ack1 & !ack2 then !robin else robin endif;

Therefore, a more realistic representation of the arbiter is given by Fig. 4. Since robin is asserted iff ack1 or ack2 are asserted, the signal robin will appear three times and, since it is emitted by the puncture towards the arbiter, its sign will be "−". Thus $\sum_{p \in p(A)} \mu(p) = -3$, as required, and indeed the fact that the system S is complete and contains no redundancies is expressed by the fact that the variance we have found (Δ = 3) exactly balances the contribution of the internal logic due to the robin puncture.
[Figure 4: the arbiter of Fig. 2 with an added source puncture p emitting (−n;robin), besides the inputs (−n;req1), (−n;req2) and the outputs (+n;ack1), (+n;ack2).]

Figure 4. An Improved Arbiter
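As an added example (not code from the paper or its authors), the following Python script mechanizes the counting procedure of Definition 2.5, Remark 2.6 and Example 2.9: it counts the asserted signals of each rule, produces the Δ column of Figure 3 for the arbiter rules ρ_1..ρ_8, checks the balance of (2.1) against the robin puncture of Fig. 4, and applies postulate (1) of the Note in Section 2 to the one-rule system S_1. The ASCII spelling of the rules (&, |, !, ->, AG, AX, AF, A[ p W q ]), the tokenizer, the input/output declarations and the puncture message list are constructed here and are assumptions, not part of the paper.

```python
import re
from typing import Dict, Iterable, Mapping, Sequence, Set, Tuple

# Added example, not code from the paper.  Rules use an ASCII form constructed
# here: '&' and, '|' or, '!' not, '->' implies, temporal AG AX AF and A[ p W q ].
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_OPERATORS = {"AG", "AX", "AF", "EG", "EX", "EF", "A", "E", "W", "U"}


def asserted_counts(rule: str) -> Dict[str, int]:
    """Asserted (non-negated) occurrences of each signal: 'ack1' counts, '!ack1' not."""
    counts: Dict[str, int] = {}
    for m in _IDENT.finditer(rule):
        name = m.group(0)
        if name in _OPERATORS:
            continue
        j = m.start() - 1
        while j >= 0 and rule[j].isspace():   # look back over whitespace for '!'
            j -= 1
        if j >= 0 and rule[j] == "!":
            continue
        counts[name] = counts.get(name, 0) + 1
    return counts


def rule_variance(rule: str, inputs: Iterable[str], outputs: Iterable[str]) -> int:
    """Delta(rule): +1 per asserted output, -1 per asserted input (Example 2.9)."""
    ins, outs = set(inputs), set(outputs)
    counts = asserted_counts(rule)
    unknown = set(counts) - ins - outs
    if unknown:
        raise ValueError(f"signals not declared as input or output: {sorted(unknown)}")
    return (sum(n for s, n in counts.items() if s in outs)
            - sum(n for s, n in counts.items() if s in ins))


def ruleset_variances(rules: Mapping[str, str], inputs, outputs) -> Dict[str, int]:
    """The Delta column of Figure 3, one entry per rule."""
    return {name: rule_variance(r, inputs, outputs) for name, r in rules.items()}


def missing_signals(rules: Mapping[str, str], signals: Iterable[str]) -> Set[str]:
    """Postulate (1) of the Note: declared signals never asserted in any rule."""
    seen: Set[str] = set()
    for r in rules.values():
        seen |= set(asserted_counts(r))
    return set(signals) - seen


def puncture_measure(messages: Sequence[Tuple[str, Sequence[str]]]) -> int:
    """mu(p) of a possibly mixed puncture (Remark 2.6): +k per (+n; k signals)
    message, -k per (-n; k signals) message."""
    total = 0
    for direction, signals in messages:
        if direction not in ("+n", "-n"):
            raise ValueError(f"bad direction {direction!r}")
        total += len(signals) if direction == "+n" else -len(signals)
    return total


def balance(rules, inputs, outputs, punctures) -> int:
    """Left-hand side of (2.1); a balanced block gives 0."""
    return (sum(ruleset_variances(rules, inputs, outputs).values())
            + sum(puncture_measure(p) for p in punctures))


# Constructed ASCII transcription of the arbiter rules rho1..rho8 (Section 3).
ARBITER_INPUTS = ("req1", "req2")
ARBITER_OUTPUTS = ("ack1", "ack2")
_WAIT = "(!req1 | !req2 | ack1 | ack2) W (req1 & req2 & !ack1 & !ack2 & AX {})"
ARBITER_RULES = {
    "rho1": "AG ((!req1 & !req2) -> AX (!ack1 & !ack2))",
    "rho2": "AG ((req1 & !req2) -> AX ack1)",
    "rho3": "AG ((!req1 & req2) -> AX ack2)",
    "rho4": "AG ((req1 & ack2) -> AX ack1)",
    "rho5": "AG ((req2 & ack1) -> AX ack2)",
    "rho6": "A [" + _WAIT.format("ack1") + "]",
    "rho7": "(req1 & req2 & !ack1 & !ack2) -> AX [ack1 & A [" + _WAIT.format("ack2") + "]]",
    "rho8": "(req1 & req2 & !ack1 & !ack2) -> AX [ack2 & A [" + _WAIT.format("ack1") + "]]",
}
# The robin puncture of Fig. 4: three (-n; robin) messages, as counted in the text.
ROBIN_PUNCTURE = [("-n", ["robin"])] * 3

if __name__ == "__main__":
    table = ruleset_variances(ARBITER_RULES, ARBITER_INPUTS, ARBITER_OUTPUTS)
    for name, rule in ARBITER_RULES.items():
        print(name, asserted_counts(rule), "Delta =", table[name])
    print("Delta(A) =", sum(table.values()))          # +3, as in Figure 3
    print("balance with robin puncture =",
          balance(ARBITER_RULES, ARBITER_INPUTS, ARBITER_OUTPUTS, [ROBIN_PUNCTURE]))  # 0
    # Postulate (1): a single rule satisfies (2.1) yet leaves req2 and ack2 uncovered
    print("uncovered:", missing_signals({"rho1": "AG (req1 -> AX ack1)"},
                                        ARBITER_INPUTS + ARBITER_OUTPUTS))
```

The negation test only looks at the token immediately before a signal, so a rule such as !(a & b) would count a and b as asserted; the arbiter rules never negate a bracketed group, and the paper's own counting convention only defines the per-signal case. The check for undeclared signals is what turns a transcription slip (a misspelled signal name) into an error rather than a silently wrong Δ.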



We further test our method by applying it to the same variations of the main example as considered in [KGG] and concisely comparing the results. The first variation is produced by replacing rule ρ_4 by ρ'_4, thus considering the modified system S', and also modifying the internal structure of the arbiter by inserting the new lines below. (Here and in the following examples the new/modified rules appear in bold characters.)



S' :
  AG [(¬req1 ∧ ¬req2) → AX (¬ack1 ∧ ¬ack2)]    (ρ_1)
  AG [(req1 ∧ ¬req2) → AX ack1]    (ρ_2)
  AG [(¬req1 ∧ req2) → AX ack2]    (ρ_3)
  AG [(req1 ∧ ack2) → AX (ack1 ∨ ack2)]    (ρ'_4)
  AG [(req2 ∧ ack1) → AX ack2]    (ρ_5)
  A [(¬req1 ∨ ¬req2 ∨ ack1 ∨ ack2) W (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2 ∧ AX ack1)]    (ρ_6)
  (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2) → AX [ack1 ∧ A [(¬req1 ∨ ¬req2 ∨ ack1 ∨ ack2) W (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2 ∧ AX ack2)]]    (ρ_7)
  (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2) → AX [ack2 ∧ A [(¬req1 ∨ ¬req2 ∨ ack1 ∨ ack2) W (req1 ∧ req2 ∧ ¬ack1 ∧ ¬ack2 ∧ AX ack1)]]    (ρ_8)
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Irobin; 
{0,1}; 



reql, req2, ackl, ack2, robin : boolean; 
assign 

init{ackl) :— 0; 
init{ack2) :— 0; 
init{robin) := 0; 
next{ackl) := case 
\reql : 0; 
\req2 : 1; 
\ackl & \ack2 
robin & ack2 
1 :\ackl; 
esac; 

next{ack2) :— cat 
\req2 : 0; 
\reql : 1; 
\ackl & \ack2 
ack2 :!next(ackl); 
1 :\ackl; 
esac; 

next[robin) := if reqlEzreq2h\ack\h\ack2 then Irobin 
else robin endif; 



robin; 



These changes produce a positive overall variance Δ(A') = 3 > 0, thus indicating the unbalance introduced by the redundancy of the System of Laws (fitting the "Unimplemented Transition Evidence" considered in [KGG]). The next example relates to the so-called "Unimplemented State Evidence" of [KGG]. It is produced by introducing an internal auxiliary variable of "input" type, thus augmenting the internal complexity of the arbiter in a way that cannot be detected and balanced by the rules. In this case the modifications below indeed generate a negative Δ(A''), as expected.

var
  req1_temp, req2, ack1, ack2, robin : boolean;
define
  req1 := req1_temp & !(ack1 & ack2);   -- internal auxiliary variable of "input" type
assign
  init(ack1) := 0;
  init(ack2) := 0;
  init(robin) := 0;
  next(ack1) := case
    !req1 : 0;
    !req2 : 1;
    !ack1 & !ack2 : !robin;
    ack1 : {0, 1};
    1 : !ack1;
  esac;
  next(ack2) := case
    !req2 : 0;
    !req1 : 1;
    !ack1 & !ack2 : robin;
    1 : !ack1;
  esac;
  next(robin) := if req1 & req2 & !ack1 & !ack2 then !robin else robin endif;

Finally, we consider the modification below:

var
  req1, req2, req11, req21, ack1, ack2, ack11, ack21, robin : boolean;
assign
  init(ack1) := 0; init(ack11) := 0;
  init(ack2) := 0; init(ack21) := 0;
  init(robin) := 0;
define
  ack1 := case
    !req11 : 0;
    !req21 : 1;
    !ack11 & !ack21 : !robin;
    1 : !ack11;
  esac;
  next(ack2) := case
    !req21 : 0;
    !req11 : 1;
    !ack11 & !ack21 : robin;
    1 : !ack11;
  esac;
  next(robin) := if req1 & req2 & !ack1 & !ack2 then !robin else robin endif;
  -- delayed copies of the original signals
  next(req11) := req1; next(req21) := req2;
  next(ack11) := ack1; next(ack21) := ack2;
Since it is basically produced by multiplying the true original signals, the resulting Δ(A''') is indeed a multiple of the original (corresponding to the "Many to One" situation considered in [KGG]).

Remark 3.1. While the existence of punctures is remarked in [KGG] (the so-called "Non-Observable Implementation Variables"), the approach described in the mentioned article cannot detect them. This emphasizes one of the strengths of the method proposed here: it not only detects the above mentioned punctures, but also estimates them numerically.

4. Global Theory 

Since the coverage problem is more crucial in large scale systems, i.e. for units 
composed of several blocks, it is natural to try to extend the method presented here 
to such systems as well. 

This is possible in the same way that Green's Theorem extends from simply- 
connected regions to multiply connected regions. In this manner we obtain the 
following: 

Proposition 4.1. Let U be a unit with bounded environment components $B_j$, each of which corresponds to some block component of U. For each $B_j$ let $\Delta_j$ denote the difference

$\displaystyle \Delta_j = \sum_{i \in i(B_j)} \mu(i) - \sum_{o \in o(B_j)} \mu(o).$

Then U satisfies:

(4.1) $\displaystyle \sum_j \mu_U(i) - \sum_j \mu_U(o) + \sum_j \Delta_j = 0,$

where $\mu_U(i)$, $\mu_U(o)$ are the information measures of U w.r.t. its external environment component. In short, if we denote $\Delta(U) = \sum_j \mu_U(i) - \sum_j \mu_U(o)$, then the following holds:

(4.2) $\displaystyle \Delta(U) = -\sum_j \Delta_j.$

Example 4.2. The example described in Fig. 5 represents schematically the control unit of a Bus Interface Unit (cf. [GLS]) and its component blocks. Then

Δ(U_BIU) = −(Δ(B_„m) + Δ(B_rq) + Δ(B_rqctl)).

Given the technique above, it is evident how to proceed "upward" for larger and larger units: we consider an integrated circuit S as the top level $S = S_0 = L_0$, its composing units as the first level $L_1 = \{S_{1,m}\}$, their structural subunits as the second level $L_2 = \{S_{2,n}\}$, and so on, where at the k-th level the $S_k$ denote the elementary blocks, so eventually we have the following generalization of Theorem 2.8:

Theorem 4.3.

(4.3) $\displaystyle \Delta(S) = \Delta(S_0) = -\sum \Delta(S_1) = \sum\sum \Delta(S_2) = \cdots = (-1)^k \underbrace{\sum \cdots \sum}_{k \text{ sums}} \Delta(S_k).$

Example 4.4. The example presented in Fig. 6 shows a Bus Interface Unit (cf. [GLS]). The whole processor S is designated as level 0 ($L_0$), the BIU $U_{BIU}$ being one of the components of level 1 ($L_1$). The drawing (scheme) also shows the building blocks of $U_{BIU}$, which belong to level 2 ($L_2$).
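As an added example that is not part of the paper, the following Python code applies (4.2) and (4.3) to a constructed hierarchy of units. Each unit carries the variance obtained from its own rule set; the code predicts that value from the unit's components, reports the level-wise sums whose sign alternates from level to level as in (4.3), and pinpoints the units whose rule-set variance disagrees with the prediction, which is where incompleteness or redundancy has to be looked for. The tree, its unit names and its numbers are made up for the example (they only loosely echo Example 4.4) and are not the BIU of [GLS].

```python
import copy
from typing import Dict, List

# Added example, not from the paper: the hierarchical balance of Proposition
# 4.1 / Theorem 4.3 on a constructed unit tree.  A node is a unit with "delta",
# the variance computed from its own rule set (None if it has no rules yet),
# and "blocks", its component units on the next lower level.


def predicted_variance(unit: Dict) -> int:
    """Delta(U) = -sum_j Delta_j (4.2), unfolded down to the elementary
    blocks, which is the (-1)^k k-fold sum of (4.3)."""
    blocks = unit.get("blocks") or []
    if not blocks:
        return unit["delta"]
    return -sum(predicted_variance(b) for b in blocks)


def level_sums(unit: Dict) -> List[int]:
    """Sum of the predicted variances over each level L_0, L_1, ..., L_k."""
    sums, level = [], [unit]
    while level:
        sums.append(sum(predicted_variance(u) for u in level))
        level = [b for u in level for b in (u.get("blocks") or [])]
    return sums


def inconsistent_units(unit: Dict, path: str = "") -> List[str]:
    """Paths of units whose rule-set variance disagrees with the value
    predicted from their components: the rules of that unit (or of one of
    its components) are incomplete or redundant."""
    here = f"{path}/{unit['name']}"
    bad = []
    if (unit.get("blocks") and unit.get("delta") is not None
            and unit["delta"] != predicted_variance(unit)):
        bad.append(here)
    for b in unit.get("blocks") or []:
        bad += inconsistent_units(b, here)
    return bad


def with_delta(unit: Dict, name: str, delta: int) -> Dict:
    """Copy of the tree with the rule-set variance of one unit replaced,
    modelling a rule set that was changed at that stage of development."""
    tree = copy.deepcopy(unit)
    stack = [tree]
    while stack:
        u = stack.pop()
        if u["name"] == name:
            u["delta"] = delta
        stack.extend(u.get("blocks") or [])
    return tree


# Constructed three-level hierarchy; the numbers are made up and balanced by design.
PROCESSOR = {
    "name": "S", "delta": 1, "blocks": [
        {"name": "U_BIU", "delta": -1, "blocks": [
            {"name": "B_rq", "delta": 2},
            {"name": "B_rqctl", "delta": -1},
        ]},
        {"name": "U_other", "delta": 0, "blocks": [
            {"name": "B_x", "delta": 0},
        ]},
    ],
}

if __name__ == "__main__":
    print(level_sums(PROCESSOR))            # [1, -1, 1]: the sign alternates per level
    print(inconsistent_units(PROCESSOR))    # []
    print(inconsistent_units(with_delta(PROCESSOR, "U_BIU", 0)))   # ['/S/U_BIU']
```

Because the prediction is always unfolded down to the elementary blocks, a unit whose own rule set is missing (delta None) is simply skipped by the consistency check while still contributing its components' balance upward; that is what lets the same check be run at the architectural stage, before every unit has rules.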
[Figure 5: schematic of the control unit U of a Bus Interface Unit and its component blocks.]

Figure 5. The Control unit of a Bus Interface Unit (following [GLS])



Remark 4.5. Theorem 4.3 gives the verifier a global viewpoint of the complexity of a large system, "from top to bottom", as the formula can be readily used at the architectural stage, through the design phase, down to the verification stage. At each stage the more complex units are characterized by large pressure contributions, thus permitting the immediate extension of Model Checking methods to very large scale systems in a manner which is point-wise precise.

5. Future Work 

Since punctures, blocks, units, etc. display the same arithmetic behavior, it is only natural to regard each component at any given level as a puncture of the unit containing it, which belongs to the next upper level. Therefore it appears that the appropriate and promising way to study the intrinsic nature of integrated circuits would be by means of Networks and Graph Theory. Such a study is currently in progress.

6. Appendix

Theorem 6.1 (Green). Let $S = \mathrm{int}(S) \subset \mathbb{R}^2$ be an open set in the plane and let $P, Q : U = \mathrm{int}(S) \to \mathbb{R}$ be continuously differentiable functions. Let $\gamma \subset S$ be a piecewise smooth, simple, closed curve, and let $R = \mathrm{int}(\gamma)$ (i.e. $\gamma = \partial R$). Then:

(6.1) $\displaystyle \oint_{\partial R} (P\,dx + Q\,dy) = \iint_R \Big(\frac{\partial Q}{\partial x} - \frac{\partial P}{\partial y}\Big)\,dx\,dy.$

In vectorial notation (6.1) has the following form:

(6.2) $\displaystyle \iint_R \operatorname{div} V \,dx\,dy = \oint_{\partial R} V \cdot n \,ds,$

where $V = (Q, -P)$, $\operatorname{div} V = \frac{\partial Q}{\partial x} - \frac{\partial P}{\partial y}$ is the divergence of the vector field V, $n = +n$ is the unit outer normal to $\partial R$, and ds represents the length element of $\partial R$.

[Figure 6: a Bus Interface Unit and its building blocks.]

Figure 6. A Bus Interface Unit (after [GLS])

The classical interpretation of (6.2) is the following: if V represents the flux density of an incompressible fluid, then div V measures the amount of mass transported away from each point per unit time. This quantity differs from zero only where there are sinks and/or sources. Thus $\iint_R \operatorname{div} V\,dx\,dy$ measures the amount of fluid escaping from (respectively entering) the region R through $\partial R$. Therefore (6.2) expresses the Mass Conservation Law for R.